Abstract

We study complexity of the model-checking problems for LTL with registers (also known as freeze LTL
and written $\mathrm{LTL}^{\downarrow}$) and for first-order logic with data equality tests (written $\mathrm{FO}(\sim, <, +1)$) over one-counter
automata. We consider several classes of one-counter automata (mainly deterministic vs. nondeterministic)
and several logical fragments (restriction on the number of registers or variables and on the use of
propositional variables for control states). The logics have the ability to store a counter value and to test it later
against the current counter value. We show that model checking $\mathrm{LTL}^{\downarrow}$ and $\mathrm{FO}(\sim, <, +1)$ over deterministic
one-counter automata is PSPACE-complete with infinite and finite accepting runs. By contrast, we prove
that model checking $\mathrm{LTL}^{\downarrow}$ in which the until operator U is restricted to the eventually F over
nondeterministic one-counter automata is $\Sigma^1_1$-complete [resp. $\Sigma^0_1$-complete] in the infinitary [resp. finitary] case even if
only one register is used and with no propositional variable. As a corollary of our proof, this also holds
for $\mathrm{FO}(\sim, <, +1)$ restricted to two variables (written $\mathrm{FO}_2(\sim, <, +1)$). This makes a difference with the
facts that several verification problems for one-counter automata are known to be decidable with relatively
low complexity, and that finitary satisfiability for $\mathrm{LTL}^{\downarrow}$ and $\mathrm{FO}_2(\sim, <, +1)$ are decidable. Our results pave
the way for model-checking memoryful (linear-time) logics over other classes of operational models, such as
reversal-bounded counter machines.

Keywords: one-counter automaton, temporal logic, first-order logic, computational complexity 



1. Introduction 

Logics for data words. Data words are sequences in which each position is labelled by a letter from a 
finite alphabet and by another letter from an infinite alphabet (the datum). This fundamental and simple 
model arises in systems that are potentially unbounded in some way. Typical examples are runs of counter 
systems [ij, timed words accepted by timed automata [2^| and runs of systems with unboundedly many 
parallel components (data are component indices) Q. The extension to trees makes also sense to model XML 
documents with values, see e.g. [J, l5|,|6|. In order to really speak about data, known logical formalisms for 
data words/trees contain a mechanism that stores a value and tests it later against other values, see e.g. 
This is a powerful feature shared by other memoryful temporal logics [ol. Il0l|. However, the satisfiability 
problem for these logics becomes easily undecidable even when stored data can be tested only for equality. 
For instance, first-order logic for data words restricted to three individual variables is undecidable tS] and 
LTL with registers (also known as freeze LTL) restricted to a single register is undecidable over infinite data 
words Q. By contrast, decidable fragments of the satisfiability problems have been found in (ill. [tL [l2l. [sl. 
either by imposing syntactic restrictions (bound the number of registers, constrain the polarity of temporal 
formulae, etc.) or by considering subclasses of data words (finiteness for example). Similar phenomena 
occur with metric temporal logics and timed words [3 [13 ■ A key point for all these logical formalisms is 
the ability to store a value from an infinite alphabet, which is a feature also present in models of register
automata, see e.g. [l^ . 17 . isl . T^ . However, the storing mechanism has a long tradition (apart from its
ubiquity in programming languages) since it appeared for instance in real-time logics [2^ (the data are time
values) and in so-called hybrid logics (the data are node addresses), see an early undecidability result with 
reference pointers in [2l|. Meaningful restrictions for hybrid logics can also lead to decidable fragments, see 
e.g. [H. 

Our motivations. In this paper, our main motivation is to analyze the effects of adding a binding 
mechanism with registers to specify runs of operational models such as pushdown systems and counter 
automata. The registers are simple means to compare data values at different points of the execution. 
Indeed, runs can be naturally viewed as data words: for example, the finite alphabet is the set of control 
states and the infinite alphabet is the set of data values (natural numbers, stacks, etc.). To do so, we enrich 
a ubiquitous logical formalism for model-checking techniques, namely linear-time temporal logic LTL, with
registers. Even though this was the initial motivation to introduce LTL with registers in [12], most decision 
problems considered in [l2, 13, ^ are essentially oriented towards satisfiability. In this paper, we focus on 
the following type of model-checking problem: given a set of runs generated by an operational model, more 
precisely by a one-counter automaton, and a formula from LTL with registers, is there a run satisfying the 
given formula? In our context, it will become clear that the extension with two counters is undecidable. It 
is not difficult to show that this model-checking problem differs from those considered in [l^, [l3 and from 
those in [^^QiEBl dealing with so-called hybrid logics. However, since two consecutive counter values in a 
run are ruled by the set of transitions, constraints on data that are helpful to get fine-tuned undecidability 
proofs for satisfiability problems in [iz, ^ may not be allowed on runs. This is precisely what we want to 
understand in this work. As a second main motivation, we would like to compare the results on LTL with 
registers with those for first-order logic with data equality tests. Indeed, LTL (with past-time operators) and 
first-order logic are equivalently expressive by Kamp's theorem, but such a correspondence in presence of 
data values is not known. Our investigation of the complexity of model checking one-counter automata
with memoryful logics therefore also includes first-order logic.

Our contribution. We study complexity issues related to the model-checking problem for LTL with 
registers over one-counter automata that are simple operational models, but our undecidability results 
can be obviously lifted to pushdown systems when registers store the stack value. Moreover, in order to 
determine borderlines for decidability, we also present results for deterministic one-counter models that are 
less powerful but remain interesting when they are viewed as a means to specify an infinite path on which
model checking is performed, see analogous issues in [2^. 

We consider several classes of one-counter automata (deterministic, weakly deterministic and nonde- 
terministic) and several fragments by restricting the use of registers or the use of letters from the finite 
alphabet. Moreover, we distinguish finite accepting runs from infinite ones as data words. Unlike results
from 0, [isl . H, [l3|, the decidability status of the model checking does not depend on the fact that we
consider finite data words instead of infinite ones. In this paper, we establish the following results.

• Model checking LTL with registers [resp. first-order logic with data equality test] over deterministic
one-counter automata is PSPACE-complete (see Sect. 3.3). PSPACE-hardness is established by reducing
QBF and it also holds when no letters from the finite alphabet are used in formulae. In order to get
these complexity upper bounds, we translate our problems into model-checking first-order logic without
data equality test over ultimately periodic words that can be solved in polynomial space thanks to [26].

• Model checking LTL with registers over nondeterministic one-counter automata restricted to a unique
register and without alphabet is $\Sigma^1_1$-complete in the infinitary case by reducing the recurrence problem
for Minsky machines (see Sect. 4). In the finitary case, the problem is shown $\Sigma^0_1$-complete by reducing
the halting problem for Minsky machines. These results are quite surprising since several verification 
problems for one-counter automata are decidable with relatively low complexity [27l.[28l.i2&]. Moreover, 
finitary satisfiability for LTL with one register is decidable Q even though with non-primitive recursive 
complexity. These results can be also obtained for first-order logic with data equality test restricted to 
two variables by analysing the structure of formulae used in the undecidability proofs and by using 

Figure 1 contains a summary of the main results we obtained; notations are fully explained in Section 2. For
instance, $\mathrm{MC}(\mathrm{LTL})^{\omega}_{1}[X, F]$ refers to the existential model-checking problem on infinite accepting runs from
one-counter automata with freeze LTL restricted to the temporal operators "next" and "sometimes", and
to a unique register. Similarly, $\mathrm{MC}(\mathrm{FO})^{*}_{2}[\sim, <]$ refers to the existential model-checking problem on finite
accepting runs from one-counter automata with first-order logic on data words restricted to two individual
variables.

Figure 1: Summary of main results

Plan of the paper. In Sect. 2 we introduce the model-checking problem for LTL with registers over
one-counter automata as well as the corresponding problem for first-order logic with data equality test. In
Sect. 3 we consider decidability and complexity issues for model checking deterministic one-counter
automata. In Sect. 4 several model-checking problems over nondeterministic one-counter automata are shown
undecidable.

This paper is an extended version of [30] that also improves significantly the results about the PSPACE upper
bounds and the undecidability results, in particular by considering first-order language over data words.

2. Preliminaries 

2.1. One-counter automaton 

Let us recall standard definitions and notations about our operational models. A one-counter automaton
is a tuple $\mathcal{A} = \langle Q, q_I, \delta, F \rangle$ where:

• $Q$ is a finite set of states,

• $q_I \in Q$ is the initial state,

• $F \subseteq Q$ is the set of accepting states,

• $\delta \subseteq Q \times L \times Q$ is the transition relation over the instruction set $L = \{\mathtt{inc}, \mathtt{dec}, \mathtt{ifzero}\}$.

A counter valuation $v$ is an element of $\mathbb{N}$ and a configuration of $\mathcal{A}$ is a pair in $Q \times \mathbb{N}$. The initial configuration
is the pair $\langle q_I, 0 \rangle$. As usual, a one-counter automaton $\mathcal{A}$ induces a (possibly infinite) transition system
$\langle Q \times \mathbb{N}, \rightarrow \rangle$ such that $\langle q, n \rangle \rightarrow \langle q', n' \rangle$ iff one of the conditions below holds true:

1. $(q, \mathtt{inc}, q') \in \delta$ and $n' = n + 1$,

2. $(q, \mathtt{dec}, q') \in \delta$ and $n' = n - 1$ (and $n' \in \mathbb{N}$),

3. $(q, \mathtt{ifzero}, q') \in \delta$ and $n = n' = 0$.

A finite [resp. infinite] run $\rho$ is a finite [resp. infinite] sequence $\rho = \langle q_0, n_0 \rangle \rightarrow \langle q_1, n_1 \rangle \rightarrow \cdots$ where $\langle q_0, n_0 \rangle$
is the initial configuration. A finite run $\rho = \langle q_0, n_0 \rangle \rightarrow \langle q_1, n_1 \rangle \rightarrow \cdots \rightarrow \langle q_f, n_f \rangle$ is accepting iff $q_f$ is
an accepting state. An infinite run $\rho$ is accepting iff it contains an accepting state infinitely often (Büchi
acceptance condition). All these notations can be naturally adapted to multicounter automata.

A one-counter automaton $\mathcal{A}$ is deterministic whenever it corresponds to a deterministic one-counter
Minsky machine: for every state $q$,

• either $\mathcal{A}$ has a unique transition from $q$ incrementing the counter,

• or $\mathcal{A}$ has exactly two transitions from $q$, one with instruction $\mathtt{ifzero}$ and the other with instruction
$\mathtt{dec}$,

• or $\mathcal{A}$ has no transition from $q$ (not present in original deterministic Minsky machines [1]).

In the transition system induced by any deterministic one-counter automaton, each configuration has at
most one successor. One-counter automata in full generality are understood as nondeterministic one-counter
automata.

2.2. LTL over data words 

Formulae of the logic $\mathrm{LTL}^{\downarrow,\Sigma}$ [8] where $\Sigma$ is a finite alphabet are defined as follows:

$\phi ::= a \mid \uparrow_r \mid \neg\phi \mid \phi \wedge \phi \mid \phi\,U\,\phi \mid X\phi \mid \downarrow_r \phi$

where $a \in \Sigma$ and $r$ ranges over $\mathbb{N} \setminus \{0\}$. We write $\mathrm{LTL}^{\downarrow}$ to denote LTL with registers for some unspecified
finite alphabet. An occurrence of $\uparrow_r$ within the scope of some freeze quantifier $\downarrow_r$ is bound by it; otherwise
it is free. A sentence is a formula with no free occurrence of any $\uparrow_r$. Given a natural number $n > 0$, we write
$\mathrm{LTL}^{\downarrow,\Sigma}_n$ to denote the restriction of $\mathrm{LTL}^{\downarrow,\Sigma}$ to registers in $\{1, \ldots, n\}$. Models of $\mathrm{LTL}^{\downarrow,\Sigma}$ are data words. A
data word $\sigma$ over a finite alphabet $\Sigma$ is a non-empty word in $\Sigma^{*}$ or $\Sigma^{\omega}$, together with an equivalence relation
$\sim$ on word indices. We write $|\sigma|$ for the length of the data word, $\sigma(i)$ for its letters where $0 \le i < |\sigma|$. Let
$\Sigma^{*}(\sim)$ [resp. $\Sigma^{\omega}(\sim)$] denote the sets of all such finite [resp. infinite] data words. We denote by $\Sigma^{\infty}(\sim)$ the
set $\Sigma^{*}(\sim) \cup \Sigma^{\omega}(\sim)$ of finite and infinite data words.

A register valuation $v$ for a data word $\sigma$ is a finite partial map from $\mathbb{N} \setminus \{0\}$ to the indices of $\sigma$. Whenever
$v(r)$ is undefined, the formula $\uparrow_r$ is interpreted as false. Let $\sigma$ be a data word in $\Sigma^{\infty}(\sim)$ and $0 \le i < |\sigma|$,
the satisfaction relation $\models$ is defined as follows (Boolean clauses are omitted).

$\sigma, i \models_v a \;\overset{\text{def}}{\Leftrightarrow}\; \sigma(i) = a$

$\sigma, i \models_v \uparrow_r \;\overset{\text{def}}{\Leftrightarrow}\; r \in \mathrm{dom}(v)$ and $v(r) \sim i$

$\sigma, i \models_v X\phi \;\overset{\text{def}}{\Leftrightarrow}\; i + 1 < |\sigma|$ and $\sigma, i + 1 \models_v \phi$

$\sigma, i \models_v \phi_1\,U\,\phi_2 \;\overset{\text{def}}{\Leftrightarrow}\;$ for some $i \le j < |\sigma|$, $\sigma, j \models_v \phi_2$ and for all $i \le j' < j$, we have $\sigma, j' \models_v \phi_1$

$\sigma, i \models_v \downarrow_r \phi \;\overset{\text{def}}{\Leftrightarrow}\; \sigma, i \models_{v[r \mapsto i]} \phi$

$v[r \mapsto i]$ denotes the register valuation equal to $v$ except that the register $r$ is mapped to the position $i$. In
the sequel, we omit the subscript "$v$" in $\models_v$ when sentences are involved. We use the standard abbreviations
for the temporal operators ($G$, $F$, $G^{+}$, $F^{+}$, ...) and for the Boolean operators and constants ($\vee$, $\top$, $\bot$,
...). The finitary [resp. infinitary] satisfiability problem for LTL with registers, noted $*$-SAT-$\mathrm{LTL}^{\downarrow}$ [resp.
$\omega$-SAT-$\mathrm{LTL}^{\downarrow}$], is defined as follows:

Input: A finite alphabet $\Sigma$ and a formula $\phi$ in $\mathrm{LTL}^{\downarrow,\Sigma}$;

Question: Is there a finite [resp. an infinite] data word $\sigma$ such that $\sigma, 0 \models \phi$?

Theorem 1. 0, Theorem 5.2] $*$-SAT-$\mathrm{LTL}^{\downarrow}$ restricted to one register is decidable with non-primitive
recursive complexity and $\omega$-SAT-$\mathrm{LTL}^{\downarrow}$ restricted to one register is $\Pi^0_1$-complete.

Given a one-counter automaton $\mathcal{A} = \langle Q, q_I, \delta, F \rangle$, finite [resp. infinite] accepting runs of $\mathcal{A}$ can be viewed
as finite [resp. infinite] data words over the alphabet $Q$. Indeed, given a run $\rho$, the equivalence relation $\sim$
is defined as follows: $i \sim j$ iff the counter value at the $i$th position of $\rho$ is equal to the counter value at
the $j$th position of $\rho$. In order to ease the presentation, in the sequel we sometimes store counter values in
registers, which is an equivalent way to proceed by slightly adapting the semantics for $\uparrow_r$ and $\downarrow_r$, and the
values stored in registers (data).

The finitary [resp. infinitary] (existential) model-checking problem over one-counter automata for LTL
with registers, noted $\mathrm{MC}(\mathrm{LTL})^{*}$ [resp. $\mathrm{MC}(\mathrm{LTL})^{\omega}$], is defined as follows:

Input: A one-counter automaton $\mathcal{A} = \langle Q, q_I, \delta, F \rangle$ and a sentence $\phi$ in $\mathrm{LTL}^{\downarrow,Q}$;

Question: Is there a finite [resp. infinite] accepting run $\rho$ of $\mathcal{A}$ such that $\rho, 0 \models \phi$? If the answer is "yes",
we write $\mathcal{A} \models^{*} \phi$ [resp. $\mathcal{A} \models^{\omega} \phi$].

In this existential version of model checking, this problem can be viewed as a variant of satisfiability in which 
satisfaction of a formula can be only witnessed within a specific class of data words, namely the accepting 
runs of the automata. Results for the universal version of model checking will follow easily from those for 
the existential version. 

We write $\mathrm{MC}(\mathrm{LTL})^{\omega}_n$ to denote the restriction of $\mathrm{MC}(\mathrm{LTL})^{\omega}$ to formulae with at most $n$ registers. Very
often, it makes sense that only counter values are known but not the current state of a configuration, which
can be understood as an internal information about the system. We write $\mathrm{PureMC}(\mathrm{LTL})^{\omega}_n$ to denote the
restriction of $\mathrm{MC}(\mathrm{LTL})^{\omega}_n$ (its "pure data" version) to formulae with atomic formulae only of the form $\uparrow_r$.
Given a set $O$ of temporal operators, we write $\mathrm{MC}(\mathrm{LTL})^{\omega}_n[O]$ [resp. $\mathrm{PureMC}(\mathrm{LTL})^{\omega}_n[O]$] to denote the
restriction of $\mathrm{MC}(\mathrm{LTL})^{\omega}_n$ [resp. $\mathrm{PureMC}(\mathrm{LTL})^{\omega}_n$] to formulae using only temporal operators in $O$.

Example 1. Here are some properties that can be stated in $\mathrm{LTL}^{\downarrow,Q}_2$ along a run.

• "There is a suffix such that all the counter values are different":

$F\,G(\downarrow_1 X\,G\,\neg\uparrow_1)$.

• "Whenever state $q$ is reached with current counter value $n$ and next current counter value $m$, if there
is a next occurrence of $q$, the two consecutive counter values are also $n$ and $m$":

$G(q \Rightarrow \downarrow_1 X \downarrow_2 X\,G(q \Rightarrow \uparrow_1 \wedge X \uparrow_2))$.

Observe also that we have chosen as alphabet the set of states of the automata. Alternatively, it would 
have been possible to add finite alphabets to automata, to label each transition by a letter and then consider 
as data words generated from automata the recognized words augmented with the counter values. This choice 
does not change our main results but it improves the readability of some technical details. 
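The semantics of Section 2.2 and the finitary model-checking question can be exercised on a small instance. The block below is an added example, not code from the paper: it evaluates freeze LTL on finite runs and searches accepting runs only up to a length bound, so a `None` answer says nothing about longer runs. The constructor names, the automaton `AUT` and the three properties are constructed for illustration.

```python
# Formula constructors (tuples). Names are this example's own.
TRUE = ("true",)
def Not(f): return ("not", f)
def And(f, g): return ("and", f, g)
def X(f): return ("X", f)
def U(f, g): return ("U", f, g)
def F(f): return U(TRUE, f)              # "sometimes"
def G(f): return Not(F(Not(f)))          # "always"
def State(q): return ("state", q)        # letter of the finite alphabet Q
def Up(r): return ("up", r)              # register test
def Down(r, f): return ("down", r, f)    # freeze quantifier


def holds(run, i, f, v=None):
    """Satisfaction at position i of a finite run, a list of (state, counter).
    v maps a register to the position stored in it."""
    v = v or {}
    op = f[0]
    if op == "true":
        return True
    if op == "state":
        return run[i][0] == f[1]
    if op == "up":       # false when the register is undefined
        return f[1] in v and run[v[f[1]]][1] == run[i][1]
    if op == "not":
        return not holds(run, i, f[1], v)
    if op == "and":
        return holds(run, i, f[1], v) and holds(run, i, f[2], v)
    if op == "X":
        return i + 1 < len(run) and holds(run, i + 1, f[1], v)
    if op == "U":        # f[2] at some j >= i, f[1] at every position before j
        for j in range(i, len(run)):
            if holds(run, j, f[2], v):
                return True
            if not holds(run, j, f[1], v):
                return False
        return False
    if op == "down":     # store the current position in register f[1]
        return holds(run, i, f[2], {**v, f[1]: i})
    raise ValueError(op)


def successors(delta, q, n):
    for p, instr, p2 in delta:
        if p != q:
            continue
        if instr == "inc":
            yield (p2, n + 1)
        elif instr == "dec" and n > 0:
            yield (p2, n - 1)
        elif instr == "ifzero" and n == 0:
            yield (p2, 0)


def accepting_runs(aut, max_len):
    """Finite accepting runs with at most max_len configurations, shortest first."""
    frontier = [[(aut["init"], 0)]]
    for _ in range(max_len):
        longer = []
        for run in frontier:
            if run[-1][0] in aut["final"]:
                yield run
            for cfg in successors(aut["delta"], *run[-1]):
                longer.append(run + [cfg])
        frontier = longer


def bounded_check(aut, phi, max_len):
    """Return a witness run with run, 0 |= phi, or None if none exists within the bound."""
    for run in accepting_runs(aut, max_len):
        if holds(run, 0, phi):
            return run
    return None


# Constructed automaton: count up in q0, move to q1, count down to 0, accept in qf.
AUT = {
    "init": "q0",
    "final": {"qf"},
    "delta": [("q0", "inc", "q0"), ("q0", "inc", "q1"),
              ("q1", "dec", "q1"), ("q1", "ifzero", "qf")],
}

# "No counter value ever recurs". On finite runs X fails at the last position,
# so the recurrence is negated instead of writing X G not-Up as in Example 1.
NO_REPEAT = G(Down(1, Not(X(F(Up(1))))))
# "Some value seen in q0 is seen again two steps later in q1".
RECUR2 = F(And(State("q0"), Down(1, X(X(And(State("q1"), Up(1)))))))
# "The second configuration is in q0 and its value recurs later in q1".
LATE = X(And(State("q0"), Down(1, F(And(State("q1"), Up(1))))))
```

`bounded_check(AUT, LATE, 5)` finds nothing while a bound of 6 yields a witness, which shows why a bounded search is only a semi-decision procedure for the existential problem.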

2.3. First-order logic over data words

Let us introduce the second logical formalism considered in the paper. Formulae of $\mathrm{FO}^{\Sigma}(\sim, <, +1)$
where $\Sigma$ is a finite alphabet are defined as follows:

$\phi ::= a(x) \mid x \sim y \mid x < y \mid x = y + 1 \mid \neg\phi \mid \phi \wedge \phi \mid \exists x\, \phi$

where $a \in \Sigma$ and $x$ ranges over a countably infinite set of variables. We write $\mathrm{FO}(\sim, <, +1)$ to denote
$\mathrm{FO}^{\Sigma}(\sim, <, +1)$ for some unspecified finite alphabet and $\mathrm{FO}(<, +1)$ to denote the restriction of $\mathrm{FO}(\sim, <, +1)$
without atomic formulae of the form $x \sim y$. Given a natural number $n > 0$, we write $\mathrm{FO}^{\Sigma}_n(\sim, <, +1)$ to
denote the restriction of $\mathrm{FO}^{\Sigma}(\sim, <, +1)$ to variables in $\{x_1, \ldots, x_n\}$. A variable valuation $u$ for a data word
$\sigma$ is a finite partial map from the set of variables to the indices of $\sigma$. Let $\sigma$ be a data word in $\Sigma^{\infty}(\sim)$, the
satisfaction relation $\models$ is defined as follows (Boolean clauses are again omitted):

$\sigma \models_u a(x) \;\overset{\text{def}}{\Leftrightarrow}\; u(x)$ is defined and $\sigma(u(x)) = a$

$\sigma \models_u x \sim y \;\overset{\text{def}}{\Leftrightarrow}\; u(x)$ and $u(y)$ are defined and $u(x) \sim u(y)$

$\sigma \models_u x < y \;\overset{\text{def}}{\Leftrightarrow}\; u(x)$ and $u(y)$ are defined and $u(x) < u(y)$

$\sigma \models_u x = y + 1 \;\overset{\text{def}}{\Leftrightarrow}\; u(x)$ and $u(y)$ are defined and $u(x) = u(y) + 1$

$\sigma \models_u \exists x\, \phi \;\overset{\text{def}}{\Leftrightarrow}\;$ there is $i \in \mathbb{N}$ such that $0 \le i < |\sigma|$ and $\sigma \models_{u[x \mapsto i]} \phi$

$u[x \mapsto i]$ denotes the variable valuation equal to $u$ except that the variable $x$ is mapped to the position $i$. In
the sequel, we omit the subscript "$u$" in $\models_u$ when sentences are involved.

The finitary [resp. infinitary] (existential) model-checking problem over one-counter automata for the
logic $\mathrm{FO}^{\Sigma}(\sim, <, +1)$, noted $\mathrm{MC}(\mathrm{FO})^{*}$ [resp. $\mathrm{MC}(\mathrm{FO})^{\omega}$] is defined as follows:

Input: A one-counter automaton $\mathcal{A}$ and a sentence $\phi$ in $\mathrm{FO}^{Q}(\sim, <, +1)$;

Question: Is there a finite [resp. infinite] accepting run $\rho$ of $\mathcal{A}$ such that $\rho \models \phi$? If the answer is "yes", we
write $\mathcal{A} \models^{*} \phi$ [resp. $\mathcal{A} \models^{\omega} \phi$].

We write $\mathrm{MC}(\mathrm{FO})^{\omega}_n$ to denote the restriction of $\mathrm{MC}(\mathrm{FO})^{\omega}$ to formulae with at most $n$ variables. We
write $\mathrm{PureMC}(\mathrm{FO})^{\omega}_n$ to denote the restriction of $\mathrm{MC}(\mathrm{FO})^{\omega}_n$ (its "pure data" version) to formulae with no
atomic formulae of the form $a(x)$.

Extending the standard translation from LTL into first-order logic, we can easily establish the result 
below. 

Lemma 2. Given a sentence $\phi$ in $\mathrm{LTL}^{\downarrow,\Sigma}_n$, there is a first-order formula $\phi'$ in $\mathrm{FO}^{\Sigma}(\sim, <, +1)$ that can be
computed in linear time in $|\phi|$ such that

1. $\phi'$ has at most $\max(3, n + 1)$ variables,

2. $\phi'$ has a unique free variable, say $y_0$,

3. for all data words $\sigma$, register valuations $v$ and $i \ge 0$, we have $\sigma, i \models_v \phi$ iff $\sigma \models_u \phi'$, where for
$r \in \{1, \ldots, n\}$, $v(r) = u(x_r)$ and $u(y_0) = i$.

Proof. We build a translation function $T$ which takes as arguments a formula in $\mathrm{LTL}^{\downarrow,\Sigma}$ and a variable,
and which returns the wanted formula in $\mathrm{FO}^{\Sigma}(\sim, <, +1)$. Intuitively the variable, which is given as
argument, is used to represent the current position in the data word. Then, we use the variables $x_1, \ldots, x_r$ to
characterize the registers. We add to this set of variables three variables $y_0$, $y_1$ and $y_2$. In the sequel, we
write $y$ to represent indifferently $y_0$ or $y_1$ or $y_2$. Furthermore the notation $y_{i+1}$ stands for $y_{(i+1) \bmod 3}$ and
$y_{i+2}$ stands for $y_{(i+2) \bmod 3}$. The function $T$, which is homomorphic for the Boolean operators, is defined
inductively as follows, for $i \in \{0, 1, 2\}$:

• $T(a, y) = a(y)$,

• $T(X\phi, y_i) = \exists y_{i+1}\, (y_{i+1} = y_i + 1 \wedge T(\phi, y_{i+1}))$,

• $T(\phi\,U\,\psi, y_i) = \exists y_{i+1}\, (y_i \le y_{i+1} \wedge T(\psi, y_{i+1}) \wedge \forall y_{i+2}\, (y_i \le y_{i+2} < y_{i+1} \Rightarrow T(\phi, y_{i+2})))$,

• $T(\downarrow_r \phi, y) = \exists x_r\, (x_r = y \wedge T(\phi, y))$.

Then if $\phi$ is a formula in $\mathrm{LTL}^{\downarrow,\Sigma}$ and $y_0$ is the variable chosen to characterize the current position in the
word, the formula $T(\phi, y_0)$ satisfies the three conditions given in the above lemma. In order to ensure the
first condition, we use the fact that we can recycle the variables. More details about this technique can be
found in (U. □

The decidability borderline for $\mathrm{FO}(\sim, <, +1)$ is between two and three variables.

Theorem 3. 0, Theorem 1, Propositions 19 & 20] Satisfiability for $\mathrm{FO}(\sim, <, +1)$ restricted to 3 variables
is undecidable and satisfiability for $\mathrm{FO}_2(\sim, <, +1)$ is decidable (for both finitary and infinitary cases).

In Section 3 we will use Theorem 4 below in an essential way.

Theorem 4. f2di . Proposition 4. 2] Given two finite words $s, t \in \Sigma^{*}$ and a sentence $\phi$ in $\mathrm{FO}^{\Sigma}(<, +1)$,
checking whether $s \cdot t^{\omega} \models \phi$ can be done in space O((|s| + |t|) x

2.4. Purification of the model-checking problem

We now show how to get rid of propositional variables by reducing the model-checking problem over 
one-counter automata to its pure version. This amounts to transform any MC(LTL) instance into a 
PureMC(LTL) instance. 

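Lemma 5 (Purification for $\mathrm{LTL}^{\downarrow}$). Given a one-counter automaton $\mathcal{A}$ and a sentence $\phi$ in $\mathrm{LTL}^{\downarrow,Q}_n$, one
can compute in logarithmic space in $|\mathcal{A}| + |\phi|$ a one-counter automaton $\mathcal{A}_P$ and a formula $\phi_P$ in $\mathrm{LTL}^{\downarrow,\emptyset}_{\max(n,1)}$
such that $\mathcal{A} \models^{*} \phi$ [resp. $\mathcal{A} \models^{\omega} \phi$] iff $\mathcal{A}_P \models^{*} \phi_P$ [resp. $\mathcal{A}_P \models^{\omega} \phi_P$]. Moreover, $\mathcal{A}$ is deterministic iff $\mathcal{A}_P$ is
deterministic.

The idea of the proof is simply to identify states with patterns about the changes of the unique counter
that can be expressed in $\mathrm{LTL}^{\downarrow,\emptyset}$.

Proof. Let $\mathcal{A} = \langle Q, q_I, \delta, F \rangle$ with $Q = \{q_1, \ldots, q_m\}$ and $\phi$ be an $\mathrm{LTL}^{\downarrow,Q}$ formula. In order to define $\mathcal{A}_P$,
we identify states with patterns about the changes of the unique counter. Let $\mathcal{A}_P$ be $\langle Q_P, q_I, \delta_P, F_P \rangle$ with
$Q_P = Q \uplus Q'$ and $Q'$ is defined below: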

Q' = Ul^lh ih til <li,F I i e {1, . . . , m}} 

I i e {1, . . . ,m} and j G {1, . . . , m -|- 1} and i ^ j] 

^{(ilii<ii,iiqhi(ili I * e {1,...,™}}. 

Figure 2 presents the set of transitions $\delta_P$ associated with each state $q_i$ of $Q$ (providing a pattern).
Furthermore, for all $i, j \in \{1, \ldots, m\}$, $q_{i,F} \rightarrow q_j \in \delta_P$ iff $q_i \rightarrow q_j \in \delta$. The sequence of transitions associated to each
$q_i \in Q$ is a sequence of $m + 2$ picks and among these picks, the first pick is the only one of height 3, the
$i$-th pick is the only one of height 2, and the height of all the other picks is 1. Observe that this sequence
of transitions has a fixed length and it is composed of exactly $9 + 2(m + 1)$ states.

Figure 2: Encoding $q_i$ by a pattern made of $m + 2$ picks and of length $9 + 2(m + 1)$

Finally, the set of accepting states of $\mathcal{A}_P$ is defined as the set $\{q_{i,F} \mid q_i \in F\}$. In order to detect the first
pick of height 3 which characterizes the beginning of the sequence of transitions associated to each state
belonging to $Q$, we build the two following formulae in $\mathrm{LTL}^{\downarrow}_1$:

• $\varphi_{\neg 3/7}$ which expresses that "among the 7 next counter values (including the current counter value),
there are no 3 equal values",

• $\varphi_{0 \sim 6}$ which expresses that "the current counter value is equal to the counter value at the 6th next
position".

These two formulae can be written as follows:

^.3/7 - -(ii (V.^,e{i,...,6}(XniAX^ ti)) 
VXii (V.^,e{i,...,5}(xni AF ti)) 
VX^ ;i (V.^,6{i 4}(X' ti AX^i)) 

vx^ ii (V.^,e{i,2.3}(xni Axni)) 

VX" U (V.^,e{o}(xni AX^' ti))) 
$\varphi_{0 \sim 6} = \downarrow_1 (X^{6} \uparrow_1)$

We write STA to denote the formula $\varphi_{\neg 3/7} \wedge \varphi_{0 \sim 6}$.

Let $\rho$ be a run of $\mathcal{A}_P$ and $j$ be such that $0 \le j < |\rho|$. We show that (1) $\rho, j \models \mathrm{STA}$ iff (2) ($\rho, j \models q$
for some $q \in Q$ and $j + 6 < |\rho|$). In the sequel, we assume that $j + 6 < |\rho|$ since otherwise it is clear that
$\rho, j \not\models \mathrm{STA}$. By construction, it is clear that (2) implies (1). In order to prove that (1) implies (2), we show
that if $\rho, j \models q$ for some $q \in Q_P \setminus Q$ and $j + 6 < |\rho|$, then $\rho, j \not\models \mathrm{STA}$. We perform a systematic case analysis
according to the type of $q$ (we group the cases that require similar arguments):

1. If q is of the form with z € {2, . . . , to}, then p, j ^ </?o--6- When 5 is g^, p, j ^ '■P-.z/i- 

2. If g is of the form qf with i G {1, .... m}, then p, j Y= '/'o^e- 

3. If g is of the form q^ with z e {1, . . . , to} \ {2}, then p, j ^ i^o~6- When q is g^, p, j ^ ^^3/7- 

4. If g is of the form qi^i with i G {2, . . . , m — 1}, then p,j y= (po~6- When q is g„i,m and an incrementation 
is performed after g^.F, we have p,j ^ '^-.s/y- If another action is performed, then we also have 

9,3 ^ ¥'0-6 • 

5. If q is of the form either or with i £ {1, . . . , to}, then p, j ^ '■P^^/t- 

6. If g is of the form either or g^^ j with i € {1, .... to.}, then p, j ^ (^-,3/7. 

7. If g is of the form qf^ with i G {!,..., to}, then p,j ^ V^3/7 (the case i = m requires a careful 
analysis). 

8. If g is of the form gj^fe for some i G {1, . . . , to}, /c G {1, . . . , to — 1} such that either |i — A;| > 2 or /c > i, 
then p,j ^ (^^3/7. 

9. If g is of the form qi^i-i with i G {2, . . . , to}, then p, j y= <P-,3/7. 

10. If g is of the form gi,i_2 with i G {3, . . . , to}, then p, j ^ ^^3/7- 

11. If g is of the form gj^^ with i G {1, . . . , to — 1}, then p,_7 ^ ^^3/7- 

12. If g is of the form qi.m+i with i G {1, . . . , m} and an action different from decrementation is performed 
after qi^p, then p,j ^ <po~6- When a decrementation is performed after qi^p, we get p, j \= <po~6 A 

~'</'-.3/7- 

13. If g is of the form q[ for some i G {1, . . . , to}, G {1, . . . , to — 1} such that either \i — k\ > 2 or k > i, 

then p,j ^ ip^3/7. 

14. If g is of the form g^ with i G {2, . . . , to}, then p, 7 ^ ip^^/-Y. 

15. If g is of the form g^ with i G {3, . . . , to}, then p, j ^ <p^3/7- 

16. If g is of the form g- ^ with i G {1, . . . , m}, then p, j ^ ip^3/7- 

17. If g is of the form g- ^^^^ with i G {1, . . . , to}, then p, j ^ <y9o~6- Indeed, the 6th next position, if any, 
is of the form g| for some G {1, . . . , to}. The counter value at such a position is strictly greater than 
the one at the position j whatever is the action performed after qi^p. 

18. If g is of the form qi^p with i G {1, . . . , rn} and the action performed after qi^p is not a decrementation, 
then p, j ^ (po~6- When a decrementation is performed after qi^p, we get p,j \= (/?o~6 A -^ip^^^T. 

For i G {1, . . . , to}, let us define the formula = X^+^('~^) |i X^-i fi. One can check that in the run of 
Ap, STA A holds true iff the current state is g^ and there are at least 6 following positions. 

Let $\phi$ be a formula in $\mathrm{LTL}^{\downarrow,Q}$. We define $\phi_P$ as the formula $T(\phi)$ such that the map $T$ is homomorphic
for Boolean operators and $\downarrow_r$, and its restriction to $\uparrow_r$ is identity. The rest of the inductive definition is as
follows.

• $T(q_i) = \phi_i$,

• $T(X\phi) = X^{9+2(m+1)+1}\, T(\phi)$,

• $T(\phi\,U\,\phi') = (\mathrm{STA} \Rightarrow T(\phi))\,U\,(\mathrm{STA} \wedge T(\phi'))$.

Observe that $\phi$ and $\phi_P$ have the same amount of registers unless $\phi$ has no register. For each accepting
run in $\mathcal{A}$, there exists an accepting run in $\mathcal{A}_P$ and conversely for each accepting run in $\mathcal{A}_P$, there exists an
accepting run in $\mathcal{A}$. Furthermore the sequence of counter values for the configurations of each of these runs
which have a state in $Q$ match. □

Lemma 6 (Purification for $\mathrm{FO}(\sim, <, +1)$). Given a one-counter automaton $\mathcal{A}$ and an $\mathrm{FO}^{Q}(\sim, <, +1)$
sentence $\phi$ with $n$ variables, one can compute in logarithmic space in $|\mathcal{A}| + |\phi|$ a one-counter automaton $\mathcal{A}_P$
and $\phi_P$ in $\mathrm{FO}^{\emptyset}(\sim, <, +1)$ with at most $n + 2$ variables such that $\mathcal{A} \models^{*} \phi$ [resp. $\mathcal{A} \models^{\omega} \phi$] iff $\mathcal{A}_P \models^{*} \phi_P$ [resp.
$\mathcal{A}_P \models^{\omega} \phi_P$]. Moreover, $\mathcal{A}$ is deterministic iff $\mathcal{A}_P$ is deterministic.

Proof. The proof follows the lines of the proof of Lemma 5 by considering the first-order formulae
corresponding to the formulae STA and $\phi_i$ and the same automaton construction. In order to make this
construction feasible, we need to use formulae of the form $x = y + k$. In fact, the formulae of the form
$x = y + 1$ are translated into formulae of the form $x = y + 9 + 2(m + 1)$ (this case is identical to the case
of the formulae of the form $X\phi$). Typically, encoding $x = y + k$ for the constant $k$ requires two auxiliary
variables. For instance we can encode the formula $x = y + 4$ as follows:

$\exists y_2\; x = y_2 + 1 \wedge (\exists y_1\; y_2 = y_1 + 1 \wedge (\exists y_2\; y_1 = y_2 + 1 \wedge y_2 = y + 1))$

Here again, we recycle the variables $y_1$ and $y_2$. □



3. Model checking deterministic one-counter automata 

In this section, we show that $\mathrm{MC}(\mathrm{LTL})^{*}$ and $\mathrm{MC}(\mathrm{LTL})^{\omega}$ restricted to deterministic one-counter automata
is PSPACE-complete.

3.1. PSPACE lower bound

We show below a PSPACE-hardness result by taking advantage of the alphabet of states by means of a
reduction from QBF ("Quantified Boolean Formula") that is a standard PSPACE-complete problem.

Proposition 7. $\mathrm{PureMC}(\mathrm{LTL})^{*}$ and $\mathrm{PureMC}(\mathrm{LTL})^{\omega}$ restricted to deterministic one-counter automata are
PSPACE-hard problems. Furthermore, for $\mathrm{PureMC}(\mathrm{LTL})^{*}$ [resp. $\mathrm{PureMC}(\mathrm{LTL})^{\omega}$] this result holds for
formulae using only the temporal operators X and F [resp. F].

Proof. Consider a QBF instance $\phi$: $\phi = \forall p_1\, \exists p_2 \cdots \forall p_{2N-1}\, \exists p_{2N}\; \Psi(p_1, \ldots, p_{2N})$ where $p_1, \ldots, p_{2N}$ are
propositional variables and $\Psi(p_1, \ldots, p_{2N})$ is a quantifier-free propositional formula built over $p_1, \ldots, p_{2N}$.
The fixed deterministic one-counter automaton $\mathcal{A}$ below generates the sequence of counter values $(01)^{\omega}$.

Let $\psi$ be the formula in $\mathrm{LTL}^{\downarrow}$ defined from the family $\psi_1, \ldots, \psi_{2N+1}$ of formulae with $\psi = \downarrow_{2N+1} \psi_1$.

• $\psi_{2N+1} = \Psi(\uparrow_1 \Leftrightarrow \uparrow_{2N+1}, \ldots, \uparrow_{2N} \Leftrightarrow \uparrow_{2N+1})$,

• for $i \in \{1, \ldots, N\}$, $\psi_{2i} = F(\downarrow_{2i} \psi_{2i+1})$ and $\psi_{2i-1} = G(\downarrow_{2i-1} \psi_{2i})$.

One can show that $\phi$ is satisfiable iff $\mathcal{A} \models^{\omega} \psi$.

To do so, we proceed as follows. For $i \in \{0, 2, 4, 6, \ldots, 2N\}$, let $\phi_i$ be

$\phi_i = \forall p_{i+1}\, \exists p_{i+2} \cdots \forall p_{2N-1}\, \exists p_{2N}\; \Psi(p_1, \ldots, p_{2N})$.

So $\phi_0$ is precisely $\phi$. Similarly, for $i \in \{1, 3, 5, \ldots, 2N - 1\}$, let $\phi_i$ be

$\phi_i = \exists p_{i+1}\, \forall p_{i+2} \cdots \forall p_{2N-1}\, \exists p_{2N}\; \Psi(p_1, \ldots, p_{2N})$.

Observe that the free propositional variables in $\phi_i$ are exactly $p_1, \ldots, p_i$ and $\phi_i$ is obtained from $\phi$ by
removing the $i$ first quantifications. Given a propositional valuation $v : \{p_1, \ldots, p_i\} \rightarrow \{\top, \bot\}$ for some
$i \in \{1, \ldots, 2N\}$, we write $\bar{v}$ to denote a register valuation such that its restriction to $\{1, \ldots, i, 2N + 1\}$
satisfies: $v(p_j) = \top$ iff $\bar{v}(j) = 0$ for $j \in \{1, \ldots, i\}$ and $\bar{v}(2N + 1) = 0$. One can show by induction that for
$k \ge 0$, $v \models \phi_{i-1}$ (in QBF) iff $\rho^{\omega}, k \models_{\bar{v}} \psi_i$, where $\rho^{\omega}$ denotes the unique infinite run for $\mathcal{A}$. Consequently,
if $v \models \phi$ for some propositional valuation, then $\rho^{\omega}, 0 \models \psi$. Similarly, if $\rho^{\omega}, 0 \models \psi$, then there is a
propositional valuation $v'$ such that $v' = v$ and $v' \models \phi$.

For the finitary problem $\mathrm{PureMC}(\mathrm{LTL})^{*}$, the above proof does not work because the occurrences of G
related to universal quantification in the QBF formula might lead to the end of the run, leaving no choice
for the next quantifications. Consequently, one needs to use another deterministic one-counter automaton
with $4N + 1$ states such that the sequence of counter values from the accepting run is $(01)^{2N}0$ (again we
omit useless ifzero transitions). Let us consider the deterministic counter automaton $\mathcal{A}'$ below.

We shall build another formula $\psi$ in $\mathrm{LTL}^{\downarrow}$ defined from the formulae below with $\psi = \downarrow_{2N+1} \psi_1$.

• $\psi_{2N+1} = \Psi(\uparrow_1 \Leftrightarrow \uparrow_{2N+1}, \ldots, \uparrow_{2N} \Leftrightarrow \uparrow_{2N+1})$,

• for $i \in \{1, \ldots, N\}$:

- $\psi_{2i} = F((X^{4N-4i+2}\, \top) \wedge \downarrow_{2i} \psi_{2i+1})$ and

- $\psi_{2i-1} = G((X^{4N-4i+4}\, \top) \Rightarrow \downarrow_{2i-1} \psi_{2i})$.

Herein, T holds for the truth value that can be encoded with 4,1 V-i 4-1 (remember there are no 
propositional variables in the pure version of the model-checking problems) . 

Using a similar proof by induction as the one done for the infinite case, we obtain that $\varphi$ is satisfiable iff $A' \models^{*} \psi$. □
Observe that in the reduction for PureMC(LTL)'^, we use an unbounded number of registers (see Theo- 
rem [TJ]) but a fixed deterministic one-counter automaton. 
By Lemmas [5] and [21 we obtain the following corollary. 

Corollary 8. PureMC(FO)$^{*}$ and PureMC(FO)$^{\omega}$ restricted to deterministic one-counter automata are PSPACE-hard problems.

3.2. Properties on runs for deterministic automata 

Any deterministic one-counter automaton $A$ has at most one infinite run, possibly with an infinite amount
of counter values. If this run is not accepting, i.e. no accepting state is repeated infinitely often, then for no
formula $\varphi$ do we have $A \models^{\omega} \varphi$. We show below that we can decide in polynomial time whether $A$ has accepting
runs, either finite or infinite. Moreover, we shall show that the unique infinite run has some regularity.

Let be the unique infinite run (if it exists) of the deterministic one-counter automaton A represented 
by the following sequence of configurations 

$\langle q_0, n_0\rangle\ \langle q_1, n_1\rangle\ \langle q_2, n_2\rangle \cdots$

Lemma 9 below is a key result to show the forthcoming PSPACE upper bound. Basically, the unique run
of deterministic one-counter automata has regularities that can be described in polynomial size.

Lemma 9. Let $A$ be a deterministic one-counter automaton with an infinite run. There are $K_1, K_2, K_{inc}$
such that $K_1 + K_2 < |Q|^3$, $K_{inc} < |Q|$ and for every $i > K_1$, $\langle q_{i+K_2}, n_{i+K_2}\rangle = \langle q_i, n_i + K_{inc}\rangle$.

Hence, the run can be encoded by its first $K_1 + K_2$ configurations. It is worth noting that we have
deliberately decided to keep the three constants $K_1$, $K_2$ and $K_{inc}$ in order to provide a more explicit analysis.

Proof. (Lemma 9) We write ZERO($A$) to denote the set of positions of the run where a zero-test has been
successful. By convention, $0$ belongs to ZERO($A$) since in a run we require that the first configuration is
the initial configuration of $A$ with counter value 0. Hence, ZERO($A$) $= \{0\} \cup \{i > 0 : n_i = n_{i+1} = 0\}$. Let
us first establish Lemma 10 below.

Lemma 10. Let $i < j$ be in ZERO($A$) for which there is no $i < k < j$ with $k \in$ ZERO($A$). Then,
$(j - i) < |Q|^2$.

The proof essentially establishes that the counter cannot go beyond $|Q|$ between two positions with
successful zero-tests.

Proof. (Lemma llOp First observe that there are no i < k < k' < j such that qk — qt' and rik < rifc'. 
Indeed, if it is the case since there is no successful zero-tests in (gi+i, ni-|_i) ■ • • {qk,nk) ■ ■ ■ {qk'ifT-k') and A 
is deterministic we would obtain from {qk' , nk') an infinite path with no zero-test, a contradiction with the 
existence of {qj,nj). Hence, if there are i < k < k' < j such that qk — qk', then nk' < nk- Now suppose 
that there is i < k < j such that Uk > \Q\. We can extract a subsequence {qig,nig) ■ ■ ■ {qi^,ni^) from 
{qi,ni) ■ ■ ■ {quki'^k) such that ia — i, — k and for < ^ < s, ni,^^ = rii, -|- 1. Consequently, there are 
1,1' such that — qi^, and n^, < n^^, , which leads to a contradiction from the above point. Hence, for 
k £ {«,... , j}, rik < IQI — 1. Since A is deterministic, this implies that (j — i) < \Q\ 'x \Q\- □ 

Let us come back to the rest of the proof. 

First, suppose that ZERO(^) is infinite. Let io < ii < 12 < ... be the infinite sequence composed of 
elements from ZERO(^) (io = 0). There are < \Q\ such that {qi^^rii^) — (qi^, , rii^,) . By Lemma [TUl 
H' < \Q\ X IQp . Take Ki = k and K2 = iv - U- 

Second, suppose that ZERO(^) is finite, say equal to {0,ii, . . . for some I < \Q\ — I {if I > \Q\ we 
are in the first case). By Lemma [TUl ii < {\Q\ — 1) x For all ii < k < fc', if qk = qk', then Uk < Uk' (if 

it were not the case, there would eventually be another zero-test in the path starting with (q^j , rii, )). Now 
there are ii < k < k' < ii + \Q\ such that qk = qk' and consequently Uk < nk' ■ Take Ki — k, K2 = k' — k 
and Kinc — nk' — Uk- We have Kmc ^ \Q\ because fc' — fc < |Q|. □ 

The unique infinite run has a simple structure: it is composed of a polynomial-size prefix

$\langle q_0, n_0\rangle \cdots \langle q_{K_1-1}, n_{K_1-1}\rangle$

followed by the polynomial-size loop $\langle q_{K_1}, n_{K_1}\rangle \cdots \langle q_{K_1+K_2-1}, n_{K_1+K_2-1}\rangle$ repeated infinitely often. The
effect of applying the loop consists in adding $K_{inc}$ to every counter value. Testing whether $A$ has an infinite
run or the run is accepting amounts to checking whether there is an accepting state in the loop, which can be done
in cubic time in $|Q|$. In the rest of this section, we assume that the unique infinite run is accepting. Similarly, testing whether
$A$ has a finite accepting run amounts to checking whether an accepting state occurs in the prefix or in the loop.
When $K_{inc} = 0$ and $A$ has an infinite run, this run is exactly

$\langle q_0, n_0\rangle \cdots \langle q_{K_1-1}, n_{K_1-1}\rangle \left(\langle q_{K_1}, n_{K_1}\rangle \cdots \langle q_{K_1+K_2-1}, n_{K_1+K_2-1}\rangle\right)^{\omega}$.

It is then possible to apply a polynomial-space labelling algorithm à la CTL for model checking LTL$^{\downarrow}$
formulae on $A$. However, one needs to take care of register valuations, which explains why, unlike the
polynomial-time algorithm for model checking ultimately periodic models on LTL formulae (see e.g., [26]),
model checking restricted to deterministic automata with $K_{inc} = 0$ is still PSPACE-hard (see the proof of
Proposition 7).
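
The prefix-plus-loop shape of Lemma 9 can be computed by simulating the automaton until a state repeats with a counter value that has not decreased. The Python below is an added example, not code from the paper; the transition encoding (one `zero` and one `pos` branch per state), the function names, the simulation bound and the sample automata are assumptions made for illustration.

```python
"""Added example: lasso shape (K1, K2, Kinc) of the unique run of a
deterministic one-counter automaton, in the sense of Lemma 9."""

# Assumed encoding: delta[state] maps "zero" (counter == 0) and/or "pos"
# (counter > 0) to a pair (operation, target state).
A_GROW = {  # constructed sample, loop effect +1
    "q0": {"zero": ("inc", "q1")},
    "q1": {"pos": ("inc", "q2")},
    "q2": {"pos": ("inc", "q3")},
    "q3": {"pos": ("dec", "q1")},
}
A_FLAT = {  # constructed sample, loop effect 0, passes through counter value 0
    "s": {"zero": ("inc", "u")},
    "u": {"pos": ("inc", "w")},
    "w": {"pos": ("dec", "x")},
    "x": {"pos": ("dec", "s")},
}
A_STUCK = {"p": {"pos": ("dec", "p")}}  # constructed sample, no move from (p, 0)


def step(delta, state, n):
    """Successor of configuration (state, n), or None if the run is stuck."""
    move = delta.get(state, {}).get("zero" if n == 0 else "pos")
    if move is None:
        return None
    op, target = move
    if op == "inc":
        return target, n + 1
    if op == "dec" and n > 0:
        return target, n - 1
    if op == "ifzero" and n == 0:
        return target, n
    return None  # dec on 0 or ifzero on a positive value


def lasso(delta, init):
    """Return K1, K2, Kinc and the first K1 + K2 configurations, or None
    when the run from (init, 0) is finite."""
    states = set(delta) | {t for br in delta.values() for _, t in br.values()}
    bound = 2 * len(states) ** 3 + 2  # assumed margin over the lemma's bound
    run = [(init, 0)]
    for j in range(1, bound + 1):
        nxt = step(delta, *run[-1])
        if nxt is None:
            return None
        qj, nj = nxt
        low = float("inf")  # min of n_i .. n_{j-1} while scanning backwards
        for i in range(j - 1, -1, -1):
            qi, ni = run[i]
            low = min(low, ni)
            d = nj - ni
            # Same state again: with d == 0 the configuration repeats; with
            # d > 0 the segment replays only if it never relied on the
            # "zero" branch, i.e. every value in it is positive.
            if qi == qj and d >= 0 and (d == 0 or low > 0):
                return {"K1": i, "K2": j - i, "Kinc": d, "run": run}
        run.append(nxt)
    raise RuntimeError("no period found within the assumed bound")


def config_at(shape, i):
    """Configuration number i of the infinite run, from the finite encoding."""
    k1, k2 = shape["K1"], shape["K2"]
    if i < k1:
        return shape["run"][i]
    a, r = divmod(i - k1, k2)
    q, n = shape["run"][k1 + r]
    return q, n + a * shape["Kinc"]


def has_accepting_infinite_run(delta, init, accepting):
    """An accepting state is repeated infinitely often iff it is in the loop."""
    shape = lasso(delta, init)
    if shape is None:
        return False
    return any(q in accepting for q, _ in shape["run"][shape["K1"]:])
```

`A_FLAT` is the $K_{inc} = 0$ case discussed above: the loop returns to the same configuration, so the run is ultimately periodic in the usual sense.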

3.3. A PSPACE symbolic model-checking algorithm

In this section, we provide decision procedures for solving MC(FO)$^{*}$ and MC(FO)$^{\omega}$ restricted to
deterministic one-counter automata. Let us introduce some notations. Let $\langle q_0, n_0\rangle\ \langle q_1, n_1\rangle\ \langle q_2, n_2\rangle \ldots$ be
the unique run of the deterministic one-counter automaton $A$.

We establish that whenever $K_{inc} > 0$, two positions with identical counter values are separated by a
distance that is bounded by a polynomial in $|Q|$.

Let us introduce a few constants related to the one-counter automaton $A$ when $K_{inc} > 0$.

• Let $\beta_1, \beta_2 > 0$ be the smallest natural numbers such that for every $i \in [K_1, K_1 + K_2 - 1]$, $n_i \in [n_{K_1} - \beta_1, n_{K_1} + \beta_2]$.

• Let $\gamma$ be the greatest value amongst $\{n_0, \ldots, n_{K_1-1}\}$.

• $L = 1 + \gamma + \left\lceil \dfrac{\beta_1 + \beta_2}{K_{inc}} \right\rceil$, where $\lceil \cdot \rceil$ denotes the ceiling function.

Intuitively, the constant $LK_2$ is greater than any distance between two positions belonging to the loop
of the unique infinite run of $A$ which have the same counter value. The next lemma formalizes this idea.



Lemma 11. Suppose $K_{inc} > 0$ and let $i, j$ be in $\mathbb{N}$.

1. If $i, j \geq K_1$ and $|i - j| \geq LK_2$, then $n_i \neq n_j$.
2. If $i < K_1$ and $j > K_1 + LK_2$, then $n_i \neq n_j$.

Proof. (1) Assume that i,i > Ki and {i — j) > LK2- By using the Euclidean division, we introduce 
the following values: ri ^ (i — Ki) mod {K2), r.j — {j — K\) mod (K2) and the quotients and Oj such 
that i — K\ = aiK2 + and j — Ki = ajK2 + rj. Note that < ri,rj < K2 and since (i — j) > LK2, 
we necessarily have ai — aj > L — 1. Using the definition of the constants /3i and P2, we know that 
rir^+Ki : nr-+Ki & {nRi - ■ ■ , + 132}- Since i = aiK2 + ri + Ki and j = ajK2 + rj + Ki, by LemmalU 
we have Ui = nr-+Ki + (^iKinc and Uj — nr-+Ki + CLjKinc- We obtain the following inequalities: 

nxi - /3i + aiKinc < "-i < "Xi + P2 + atK^nc 
nKi - ^1 + ajKinc < rij < uk^ + P2 + aiKinc 

Consequently, 

-Pi - (i2 + {a-i ~ aj)Kinc < rii ~ < (ii + P2 + {ai ~ aj)K^nc 
Considering that (a^ — Oj) > L — 1 and using the definition of L, we obtain: 

< jKinc < - rij 

Hence Ui 7^ Uj. The same proof can be done when we initially assume that [j ~ i) > LK2- 

(2) Let us assume that i < Ki and j > Ki + LK2. Let aj,rj be defined as for the case (1). By using 
the same method, we obtain the following inequality: 

riKi - (^1+ CLjKinc < rij < + /32 + ajKinc 

Sine j32 > 0, we have: 

n-Ki - Pi - h + ajKinc - n-i < nj - m 
Moreover, since j > Ki + LK2, we get aj > L. Consequently, 

nKi - Pi - P2 + LKinc - rii < nj - Ui 

Using the definition of L, we get 

nxi - Pi - P2 + + l)Kinc + Pi + P2 - rii < - Pi - P2 + LKi^c - rii < nj - Ui 
Since 7 x Kmc > rii, we get 

riKi + Kinc < rij - Hi 

Consequently, nj > n^. □ 
Let us introduce the intermediate sets and P^: 

Pi = {(i, j) e{0,...,Ki+LK2- 1}2 I n, - rij and i < j} 
Pi = {(i, j) e {0, . . . , ifi + LK2 - lY I n, = + LK.nc and j < i} 

In the sequel, we write to denote the set P^ U P^. We will now characterize the positions of using 
the set and the constants L, Ki, K2 and Kinc introduced before. 

Lemma 12. Suppose $K_{inc} > 0$ and let $j > i$ be in $\mathbb{N}$. Then, $n_i = n_j$ iff one of the conditions below is true.

1. {hj)ePi.

2. i,j > Ki, (Ki + Ki) mod {LK2),Ki + {j ~ Ki) mod {LK2)) S and (j - i) < LK2. 

Proof. Let j £ N such that i < j. If (1) is satisfied, then by definition of P^, we get rii ~ nj. 

If (2) is satisfied, then let — {i — Ki) mod {LK2), rj = {j — Ki) mod {LK2) and ai,aj be quotients 
such that i — Ki — aiLK2 + Ti and j — Ki = ajLK2 + rj. By Lemma [HI we have rii = nr-+Ki+aiLK2 — 
nr,+Ki + aiLKinc and = nr^+Kx+ajLK2 = "-rj+A'i + ajLKinc- Since {j - i) < LK2, we have {aj ~ 
ai)LK2 + {rj — ri) < LK2- Furthermore, we have by hypothesis {Ki + ri^Ki + rj) S P^. We then 
distinguish two cases. First if {Ki + ri,Ki + rj) € P^, we deduce that < rj and consequently a; = Oj. 
Hence rii = Second if {Ki + r^, + Tj) G P^, we deduce that rj < and consequently Uj — Ui + 1. 
Hence Uj = nr--\-Ki + (a* + ^)LKinc and since + LKinc = Un+Kn we obtain = Uj. 

We now suppose that rii = Jt-j and we perform the following case analysis. 

• Assume that i < Ki and j < Ki. By definition of P}^, we have {i,j) G P)t and the condition (1) is 
therefore satisfied. 

• Assume that i,j> Ki. By Lemma [TTl we have {j — i) < LK2 (otherwise we would have rii 7^ nj). Let 
ri = (i—Ki) mod {LK2), rj = (j — Ki) mod [LK2) and ai,aj be quotients such that i — Ki — aiLK2+ri 
and j — Ki = ajLK2 + rj. By Lemma [HI we have rii — nr-+Ki+aiLK2 = ^r^+Ki + o-iLKinc and 
Tij = ?ir ,;+Ki+a3L_R'2 = '^rj+zfi + o-jLKinc- Wc consider then two cases, according to the satisfaction of 
flj = aj. 

— Suppose Gi = aj. Consequently, rir^+Ki = nr^+Ki and since i < j, we have < rj. Condition 
(2) is therefore satisfied. 

— Suppose ai ^ aj. Since (j — i) < LK2, necessarily, aj — a^ + l. Hence nr^-^-Kl = ni — (ai + l)LKinc, 
and since {aj — ai)LK2 + {rj ~ ri) < LK2, we also have rj < from which we can conclude that 
condition (2) is again satisfied (we also have rirj+Ki + LKinc = ^ri+A'i)- 

• Assume that i < Ki and j > Ki. By Lemma [TTl we have j < Ki + LK2, and consequently {i,j) G P^, 
hence condition (1) is satisfied. 

All the values for i,j are covered by the above analysis. □ 
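
Lemmas 11 and 12 reduce the test $n_i = n_j$ on the infinite run to lookups in two finite tables over the window $\{0, \ldots, K_1 + LK_2 - 1\}$. The Python below is an added example, not code from the paper: it takes a constructed run shape (prefix values, values of one loop iteration, $K_{inc}$), computes $L$, builds the two sets of pairs (named `same` and `shifted` here) and applies the case analysis for $i < j$; all names and sample values are assumptions.

```python
"""Added example: the finite equality test of Lemma 12 on a run shape."""

# Constructed sample: n_0..n_{K1-1} (prefix), n_{K1}..n_{K1+K2-1} (one loop
# iteration) and the loop effect Kinc > 0. Consecutive values differ by one,
# as in a run of a one-counter automaton.
PREFIX = [0, 1, 2]
LOOP = [3, 4, 3, 2, 3, 4]
KINC = 2


def counter_value(prefix, loop, kinc, i):
    """n_i, using the periodicity of Lemma 9."""
    k1, k2 = len(prefix), len(loop)
    if i < k1:
        return prefix[i]
    a, r = divmod(i - k1, k2)
    return loop[r] + a * kinc


def window_constant(prefix, loop, kinc):
    """L = 1 + gamma + ceil((beta1 + beta2) / Kinc)."""
    beta1 = loop[0] - min(loop)       # how far the loop dips below n_{K1}
    beta2 = max(loop) - loop[0]       # how far it rises above n_{K1}
    gamma = max(prefix, default=0)    # 0 for an empty prefix is an assumption
    return 1 + gamma + -(-(beta1 + beta2) // kinc)


def equality_tables(prefix, loop, kinc):
    """Return (L, same, shifted) over positions 0 .. K1 + L*K2 - 1."""
    k1, k2 = len(prefix), len(loop)
    big_l = window_constant(prefix, loop, kinc)
    size = k1 + big_l * k2
    n = [counter_value(prefix, loop, kinc, i) for i in range(size)]
    # Pairs with equal values, first position before the second.
    same = {(i, j) for i in range(size) for j in range(i + 1, size)
            if n[i] == n[j]}
    # Pairs whose values differ by L*Kinc, first position after the second.
    shifted = {(i, j) for i in range(size) for j in range(i)
               if n[i] == n[j] + big_l * kinc}
    return big_l, same, shifted


def same_counter_value(i, j, prefix, loop, kinc, tables):
    """Decide n_i == n_j for i < j using only the finite tables."""
    big_l, same, shifted = tables
    k1, width = len(prefix), big_l * len(loop)
    if (i, j) in same:                        # condition 1
        return True
    if i >= k1 and j - i < width:             # condition 2
        fi = k1 + (i - k1) % width            # fold both positions into
        fj = k1 + (j - k1) % width            # the window
        return (fi, fj) in same or (fi, fj) in shifted
    return False                              # excluded by Lemma 11
```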

We show below how to reduce an instance of the model-checking problem (restricted to deterministic
one-counter automata) to an instance of the problem mentioned in Theorem[3| by taking advantage of Lemma 12.
First let us build finite words s, t over some finite alphabet E. By Lemma [SJ we can assume that the formula 
(j) belongs to the pure fragment of F0(~, <, 

• $\Sigma = \{0, \ldots, K_1 + LK_2 - 1\}$.

• $s = \{0\} \cdot \{1\} \cdots \{K_1 - 1\}$.

• $t = \{K_1\} \cdot \{K_1 + 1\} \cdots \{K_1 + LK_2 - 1\}$.

Given a sentence (f) in F0(~, <, -1-1) let us define a sentence T{(j)) in F0^(<, -1-1) according to the definition 
below: 

• $T$ is the identity for atomic formulae of the form $x < y$ and $x = y + 1$.

• $T$ is homomorphic for Boolean connectives and first-order quantification.

• r(x-y) = (x < yAri(x,y)) V (y < xAri(y,x)) and ri(x,y) is equal to 

(y - x) < LK2 A {x<Ki^ y I{x) A J(y)) A (x > if 1 ^ \/ I{x) A J(y)) 

Observe that the formula of the form (y — x) < LK2 is a shortcut for a formula in FO*^ (<,+!) of
polynomial size in |^|. For instance, when x > Ki Ay>ifiAy>x holds, (y — x) < LK2 is equivalent to a 
formula with at most 3 variables, namely 

Ki+LK2-l 

^ l\ Elzx<z<yA /(z). 

Lemma 13. A (f) iff s ■ \^ T{4>). 

Proof. The proof is by structural induction. We show that for each subformula ij) oi(j) and for each variable 
valuation u, A \='^ ij) \S s -f^ ^„ T{il}). Since the formula belongs to the pure fragment of F0(~, <, +1) 
the only case that needs to be checked is for atomic formulae of the form x ^ y. Before giving the rest of the 
proof, we remark that since a is an infinite word s ■ built over the alphabet E = {0, . . . , Ki + LK2 — 1}, 
for all i > Ki, we have a{i) = Ki + (« — Ki) mod {LK2). Let u be a variable valuation such that u(x) 
and u{j) are defined (if u{x) or u{y) is not defined, then it is easy to show that A x ^ y and that 
s-r ^„r(x^y)). 

First we suppose that A ^ Yi this means that the unique infinite accepting run of A satisfies 
|=„ X ~ y. Hence, we have ri„(x) = n^^ij)- We show that s ■ T{yi ^ y). We suppose u(x) < u(y) (the 

proof is similar for the case u(y) < u(x)). We proceed by a case analysis using Lemma [T^ and the definition 

for T(x^y): 

• If u(x) < Ki, then necessarily (M(y) — ^{x)) < LK2. hence (T(?i(x)) = m(x) and a{u{y)) = ""(y), 
furthermore by Lemma [T^ {u{x),u{j)) G P}^, so we have a ^„ r(x ^ y). 

• If u(x) > i^i, again we have (u(y) — u(x)) < LK2 and also f7(u(x)) = Ki + {i — u{x)) mod {LK2) 
and a{u{y)) — Ki + {i — u{y)) mod {LK2). Using Lemma [T^ we have (cr(u(x)), cr(M(y))} G P^^, which 
implies cr ^„ T(x ^ y). 

Now, let us suppose that s ■ ^„ T(x ^ y). Again, we perform a case analysis and we suppose that 
m(x) < u{y) (the proof for the case u(y) < u(x) is the same): 

• If u(x) < Ki then u(y) < Ki + LK2- Hence <t{u{x)) — u{x) and a{u{y)) ~ w(y). Since (w(x),ii(y)) e 

we have n„(x) = n„(y). 

• If u{x) > Ki then (^(y) - u(x)) < ii^2 and {a{u{x)),a{u{y))) £ P^. Since cr(u(x)) = J-iTi + (i - 
u(x)) mod {LK2) and (7(it(y)) = Ki + (i — ''^(y)) mod {LK2), we obtain using Lemma [T^ that nu(x) = 

□ 

This allows us to characterize the complexity of model checking.

Theorem 14. MC(FO)$^{\omega}$ restricted to deterministic one-counter automata is PSPACE-complete.

Proof. Let ^ be a one-counter automaton and (/) he a pure formula in F0(^, <, +1). If either A has no 
infinite run or its infinite run is not accepting, then this can be checked in polynomial-time in |^|. In that 
case A (j) does not hold. Moreover, observe that if A has no infinite run, then the length of the maximal 
finite run is in 0{\Q\'^) by using arguments from Lemma El 

In the case A has an infinite accepting run and Kmc > 0, as shown previously the prefixes s, t as well as the 
formula T{(f>) can be computed in in polynomial time in |.A| -|- Moreover, by Theorem |4]j26|, s-f^ \= T{if>) 
can be checked in polynomial space in \s\ + \t\ + \T{(p)\. In the case Ki„c = 0, the prefixes s and t are defined 
as follows with S = {0,...,Ki+K2-l}: s = {0}-{l} • • --{ifi-l} and t = {Ki}-{Ki + l} ■ ■ ■■{K1 + K2-I}. 
The map r(-) is defined as previouly except that T(x '~ y) = V(/ j)eP^ ^ "^(y) '^ith P^ = {{i,j) £ 
{0,...,Ki+K2-l}^ \n^^nJ}. 

Hence, PureMC(FO)'^ is in polynomial space. Using the Purification LemmalHl we deduce that MC(FO)'^ 
is also in polynomial space. The P Space- hardness is a consequence of the P Space- hardness of MC(LTL)'^ 
(since there is an obvious logspace translation from LTL*^ into F0«(~,<,+1)). □ 

Theorem 15. MC(FO)$^{*}$ restricted to deterministic one-counter automata is PSPACE-complete.

Proof. Let ^ be a one-counter automaton and be a pure formula in F0(^, <, +1). If A has an infinite 
run, tlien the finite words s and t are computed as in the infinitary case. We then need another intermediate 
set Pp which will characterize the positions of the unique run labelled with an accepting state: 

PF = {ie{0,...,Ki+ LK2 - 1} I e F} 

The pure formula (j) is then translated into 

I<£Pf 

where T'((j)) is defined as T((j)) for the infinitary case except that the clause for first-order quantification be- 
comes T'(3 X ■)/))= 3 X X < Xend A T'{iIj) (relativization) . As in the proof of TheoremO we get the PSpace 
upper bound for MC(FO)*. In the case A has no infinite run, then the lengh K of the maximal finite run is in 
C'dQI'^) and it can therefore be computed in polynomial-time. The prefixes s and t are defined as follows with 

S = {0, . . . , iiT - 1, _L}: s = {0} • {1} {A' — 1} and t = {±}. The map T(-) is defined as previouly except 

that T{x ~ y) = V{/,j)eP'» ^ ^ij) ^i^h Pt = {{ij) e {0, . . . , K - l}^ \ n, ^ n^}. The pure formula 4> 
is translated into 3 Xe„d (V/ep^ I{xend))A^ ± (xe„<j) Ar'(0), with P^ ^ {i e {0, . . . , K - 1} \ q, e F}. The 
formula T' {<j)) is defined as T{(j)) for the infinitary case except that the clause for first-order quantification 
becomes T'(3 x i/j) = 3 x x < Xe„d A r'(V'). □ 

This improves the complexity bounds from [s^. Using the translation from LTL"'' into F0(^,<,+1) 
from Lemma [21 we deduce the following corollary. 

Corollary 16. MC(LTL)$^{*}$ and MC(LTL)$^{\omega}$ are PSPACE-complete.

4. Model checking nondeterministic one-counter automata 

In this section, we show that several model-checking problems over nondeterministic one-counter au- 
tomata are undecidable by reducing decision problems for Minsky machines by following a principle intro- 
duced in (ll| . Undecidability is preserved even in presence of a unique register. This is quite surprising 
since ^-SAT-LTL-I- restricted to one register and satisfiability for F02(~, <, +1) are decidable 

In order to illustrate the significance of the following results, it is worth recalling that the halting
problem for Minsky machines with incrementing errors is reducible to finitary satisfiability for LTL with
one register [8]. We show below that, if we have existential model checking of one-counter automata instead
of satisfiability, then we can use one-counter automata to refine the reduction in [8] so that runs with
incrementing errors are excluded. More precisely, in the reduction in [8], we were not able to exclude
incrementing errors because the logic is too weak to express that, for every decrement, the datum labelling
it was seen before (remember that we have no past operators). Now, the one-counter automata are used to
ensure that such faulty decrements cannot occur.

Theorem 17. MC(LTL)$^{*}_{1}$ restricted to formulae using only the temporal operators X and F is $\Sigma^0_1$-complete.

Proof. The upper bound is by an easy verification since the existence of a finite run (encoded in $\mathbb{N}$)
verifying an LTL$^{\downarrow}$ formula (encoded in first-order arithmetic) can be encoded by a formula. So, let us
reduce the halting problem for two-counter automata to MC(LTL)$^{*}$ restricted to {X, F}. Let $A = (Q, q_I, \delta, F)$
be a two-counter automaton: the set of instructions $L$ is $\{\mathrm{inc}, \mathrm{dec}, \mathrm{ifzero}\} \times \{1, 2\}$. Without any loss of
generality, we can assume that all the instructions from $q_I$ are incrementations. We build a one-counter
automaton $B = (Q', q'_I, \delta', F')$ and a sentence $\varphi$ in LTL$^{\downarrow}_{1}$ such that $A$ reaches an accepting state iff $B \models^{*} \varphi$.

For each run in A of the form



















^ 4 



where the inst^'s are instructions, we associate a run in B of the form below: 







1 1^1 ^2 



where hides steps for updating the counter according to the constraints described below. The set of states 
Q' will contain the set of transitions d from A. 

We first define the one-counter automaton $B = (Q', q'_I, \delta', F')$. In order to ease the presentation, the
construction of $B$ is mainly provided graphically.

• Q' is the following set of states: 

Q'= (5W{g/}tt){io} 

^^■last^-^last \ {q^ inc, c, q') G S} 

I t = {q, dec, c,q') £ 6} 
y{^do«,n \ t= {q, if zero, c, q') G 6} 

aux 

where Qaux is a set of auxiliary states that we do not specify (but which can be identified as the states 
with no label in Figures SI [5] and [5]), 

• F' is the set of states {zq \ q G F}. 

• The transition relation S' is the smallest transition relation satisfying the conditions below: 

— The transitions in Figure [3] belong to 6'. 

— For each incrementation transition t — {qj, inc,c, q), the transitions in Figure U] belong to d' . 

— For each decrementation transition t = {qi, dec, c, q), the transitions in Figure [5] belong to 6' . 

— For each zero-test transition t = {qi, ifzero, c, q), the transitions in Figure [5] belong to S' . 




Figure 3: Initial transitions in 5' 

In runs of $B$, we are only interested in configurations whose state belongs to $\delta$. The structure of $B$ ensures
that the sequence of transitions in $A$ is valid assuming that we ignore the intermediate (auxiliary or busy)
configurations.

Before defining the formula $\varphi$, let us introduce a few intermediate formulae that allow us to check whether
the current configuration has a state belonging to a specific set. For each counter $i \in \{1, 2\}$, we define the
formulae below:

• $I_i$ is the disjunction of $i_0$ with all the transitions $t$ that increment the counter $i$ in $A$, hence $I_i = i_0 \vee \bigvee_{\{t \in \delta \mid t = (q, \mathrm{inc}, i, q')\}} t$.

Figure 5: Gadget in $B$ for encoding a decrementation from $A$

• $D_i$ is the disjunction of $i_0$ with all the transitions $t$ that decrement the counter $i$ in $A$, hence $D_i = i_0 \vee \bigvee_{\{t \in \delta \mid t = (q, \mathrm{dec}, i, q')\}} t$.

jiast disjunction of all states of the form 4"*** where t is a transition that increments the counter 



last \ / -last 



{teS\t={q,inc,i,q')} H 



i, hence /|"'** = V 

• 77''*** is the disjunction of all states of the form j^''"^* where t is a transition that increments the 
counter i, hence 7^'««* = V{te5|t=(</,inc,i,g')} 

• £)last jg ^jjg disjunction of all states of the form dj"** where t is a transition that decrements the counter 
i, hence D^-* = V{te5|t=(,,dec,i,,'>} '^i"'*" 

• D""'"^* is the disjunction of all states of the form d^'"** where t is a transition that decrements the 
counter i, hence = V{te5|t=(5,dec,i,g')} 

• $Z_i$ is the disjunction of all the transitions $t$ that test to zero the counter $i$ in $A$, hence $Z_i = \bigvee_{\{t \in \delta \mid t = (q, \mathrm{ifzero}, i, q')\}} t$.

• Zf""^"^ is the disjunction of the states of the form 0^°"'" where f is a zero-test on the counter i, hence 

ydown \ / ^down 

— V{te5|t={g,lfzero,i,g'>} * 

In order to define $\varphi$, we take advantage of the structure of $B$ so as to match runs of $B$ with runs of
$A$. A crucial idea consists in associating to each action on one of the two counters a natural number, so
that an incrementation gets a new value. Moreover, we require that the natural number associated to an
incrementation is obtained by increasing by one the natural number associated to the previous incrementation.
We satisfy a similar property for the natural numbers associated to decrementations except that these
values should not exceed the value associated to the previous incrementation. In this way, we guarantee
that there are no more decrementations than incrementations. In order to simulate the zero-test, we reach
a value above all the values that have been used so far. Then we check that for all the smaller values that
are associated to an incrementation, it is also associated to a decrementation (for the same counter).

In the following formulae, we use $\mathsf{G}^{+}$ and $\mathsf{F}^{+}$ to represent the formulae XG and XF, respectively. We also
omit the subscript "1" in $\downarrow_1$ and $\uparrow_1$ because we assume that we always use the same register. For each
counter $i \in \{1, 2\}$, we define the following formulae:

(i) After each configuration satisfying $I_i$, there is no strict future configuration satisfying $I_i$ with the same
data value:

G(/, G+(/, =^-t)) 

(ii) After each configuration satisfying Di, there is no strict future configuration satisfying Di with the 
same data value: 

g(A G+(A^-t)) 

(iii) After each configuration satisfying $D_i$, there is no strict future configuration satisfying $I_i$ with the
same data value:

G(A G+(7i^-t)) 

(iv) When a new data value is needed for an incrementation of the counter i, the chosen value is exactly 
the next value after the greatest value used so far for an incrementation of the counter i: 

G{I, ii A t) F(/^'^'^*A t))) 

AG ((7^'^^* V 7^^'""*) G+(7i ^ -. t)) 

(v) When a new data value is needed for a decrementation of the counter i, the chosen value is exactly 
the next value after the greatest value used so far for a decrementation of the counter i: 

G(A a F(D7'"''*A t) F(7?^"-'*A t))) 
AG((£)^°^* V ^4, G+{Di ^ - t)) 

(vi) The data value associated to a decrementation of the counter i is never strictly greater than the
greatest previous value used in incrementations of the counter i: 

G{li ^ (; F(D7'"''*A t) F(/^"'^*A t))) 
AG(/, {i F(D^"''*A t) =^4- F(/-°''*A t))) 

(vii) For each configuration satisfying Zi, the associated data value is always strictly greater than the 
greatest previous value used in incrementations of the counter i : 

G(/, G(Z, ^ - t)) 

(viii) When the automaton B is in the decrementing slope to encode a zero-test in A, which means when 
the formula Zf"^"" is satisfied, and when a data value already used for an incrementation is met, then 
the same data value is used previously for a decrementation in B: 

-f(/,A ; F(Zf°"'"A t) A - ; F(t AA)) A ^F(Zf°'""A i F(AA t)) 

Let us recall the book-keeping of the values. 

• A new value used for an incrementation is always one plus the greatest value used so far for an 
incrementation (see (iv)). The first counter value for an incrementation is 2. 

• A new value used for decrementation is always 1 + the greatest value used so far for a decrementation
(see (v)), and is always smaller or equal to the greatest value used so far for an incrementation (see (vi)).
The first counter value for a decrementation is 2.

• Zero-tests consist in: 

(1) going to a value strictly greater than any value used so far for incrementations (encoded in B and 
see (vii)), 

(2) then decrementing the counter to zero (encoded in $B$) and whenever a value is met that is used
for an incrementation, check that a corresponding decrementation has occurred before (see (viii)).

In order to ease the comprehension, we explain why the rule (vi) ensures that the value associated to
a decrementation of the counter $i$ is never strictly greater than the value used for the last incrementation
of the same counter $i$. First, we assume that the rules (i)-(vi) are satisfied and ad absurdum we suppose
that the value used for a decrementation is strictly greater than the value used for the last incrementation
of the counter $i$. If this value is greater by exactly one unit, then we are in the case of the second line of
the formula given by the rule (vi). Hence, there must exist an incrementation with the same value as the
one for the decrementation, and this incrementation necessarily happens between the first considered
incrementation and the decrementation, according to the rules (i)-(iii). This leads to a contradiction because
the first considered incrementation is not the last one. Secondly, suppose that the value associated to the
decrementation is greater by $k$ units with $k > 1$. We are in the case of the first line of the formula given by
the rule (vi), and consequently there exists an incrementation after the first considered incrementation which
has an associated value greater by one unit. The last line of the formula of the rule (vi) ensures that this
incrementation occurs necessarily before the decrementation, which leads again to a contradiction, because
the first considered incrementation cannot be the last one.

Figure 7 gives an example of the beginning of a run of $B$ which respects the rules (i)-(viii) and that encodes
the following sequence of instructions (inc, 1), (inc, 1), (dec, 1), (dec, 1), (ifzero, 1). In the decreasing part
after the position labeled by $Z_1$, each value used in a previous incrementation can be matched with a value
associated to a decrementation. The formula $\varphi$ is defined as the conjunction of (i)-(viii) plus (ix) that
specifies that a state in $F'$ is reached. Now consider any run of $B$ which satisfies (i)-(viii). For any counter
c £ {1,2}, we can define its value as the number of It letters with t of the form (g, inc, c, g') for which a 
later letter $(q_1, \mathrm{dec}, c, q_1')$ with the same value of the counter of $B$ has not yet occurred. We will now prove
that $B \models^{*} \varphi$ if and only if the automaton $A$ has an accepting run.

Figure 7: Run for $B$ satisfying the rules (i)-(viii), plotting the counter value along the instructions (inc, 1) (inc, 1) (dec, 1) (dec, 1) (ifzero, 1)

Let p = (po)0) ^ (pi,ni) -V (j)2,n2) ■ ■ ■ {qm^nm) be a finite run of S satisfying the rules (i)-(viii) and such 
that po = (Z/ and Pm = q for some q G Q. We consider the sequence of indices ii,. . . ,ik S {0, . . . , m} such 

that for all j G {!,..., m}, pi^ £ 5 and such that there is no z G {1, . . . , m} with Pi £ S and i ^ {ii, . . . , i/j}. 
We will show that the sequence Pi^Pi2 ■ ■ ■ Pi^ induces a run of A. This means that there exist k configurations 

ci, C2, . . . c/j G Q X such that (g/, 0, 0) ci C2 . . . ^ Cfe is a run of A. 

The proof is by induction on k. li k = 1, then by construction of the automaton B, there exist i G {1, 2} 
and q' € Q such that pi^ = (go, inc, i,q'). This is simply due to the fact that we have assumed that any 
instruction starting in qj is an incrementation. Since it is always possible to perform an incrementation, 

there is a configuration ci G Q x such that (g/,0,0) ^ ci. 

We suppose that the property is true for k and we show that it also holds for k + 1. 
First, let us write down the properties verified by the sequence 

{pi„,n,„),...,{pi^,n,J 

made of configurations of B. For each counter i G {1,2}, we write Inci to denote the set {j G {1, . . . , fc} | 
Pi- is of the form (g, inc, i, q')} and Deci to denote the set {j G {1, . . . ,k} \ pi- is of the form {q, dec, i, q')}. 
Let i be one of the counters in {1,2}. The rule (i) ensures that for every j G InCi, rii. > 1, and for all 
j,^ G InCi, rii- ^ Tiig. This is because io is a disjunct of the counter value in the state io is always 1 and 
for all j G Inci, pi- satisfies Ii. Furthermore the rule (iv) implies that for all j,l G Inci such that j < £, if 
there is no j' G Inci such that j < j' < £, then necessarily n^^ = rii. +1- Moreover, if j is the smallest index 
of Inci then rii- =2. In fact, if j is the smallest index of InCi, then rii- is greater or equal to 2 (because 
the integer value in io is always 1). If rii- is strictly greater than 2, then the run of B should reach a state 
that satisfies or with a value equal to 2, but since j is the smallest index of /nc^, the rule (iv) 

would not be satisfied. To show the other property about the indices in InCi, this can be done by induction 
on the indices of Inci by using again the rule (iv). Similarly, it can be proved that the set Deci verifies the 
same properties. Hence, {iii. \ j G Ina} = {2, . . . , [/nci| + 1} and {n^^ | j G Deci} = {2, . . . , \Deci\ + 1}. 
Finally, the rule (vi) guarantees that for every j G DeCi , there is £ G InCi such that ic < ij and rii^ < . 
By combining these different properties, we deduce that |£>eci| < |/nci|. 

We suppose that $p_{i_k} = (q, a', i', q')$. By construction of $B$, we have $p_{i_{k+1}} = (q', a, i, q'')$. If $a$ is equal to $\mathtt{inc}$,
then the property is satisfied because an incrementation can always be performed (unlike decrementations
and zero-tests). Now, suppose that $a = \mathtt{dec}$. The transition $p_{i_{k+1}} = (q', a, i, q'')$ is not firable only if
$|\mathit{Dec}_i| = |\mathit{Inc}_i|$ (the number of incrementations is equal to the number of decrementations). This situation
cannot occur since $\rho$ satisfies the rules (i)-(viii), and therefore $n_{i_{k+1}} = n_{i_H} + 1$ where $H$ is the greatest index
of $\mathit{Dec}_i$ and there exists $h \in \mathit{Inc}_i$ such that $i_h < i_{k+1}$ and $n_{i_{k+1}} < n_{i_h}$. Hence, if $|\mathit{Dec}_i| = |\mathit{Inc}_i|$, according
to the previous properties, we would have that there exists $j \in \mathit{Dec}_i$ such that $n_{i_h} = n_{i_j}$ and consequently
$n_{i_H} + 1 < n_{i_j}$, which leads to a contradiction (by definition of $H$). Now, suppose that $a = \mathtt{ifzero}$. The
transition is not firable only if $|\mathit{Inc}_i| > |\mathit{Dec}_i|$ (there are more incrementations than decrementations).
This situation cannot occur since $\rho$ satisfies the rules (i)-(viii) and according to the rule (vii) and to the
properties verified by $\mathit{Inc}_i$, for all $j \in \mathit{Inc}_i$, $n_{i_j} < n_{i_{k+1}}$. After the $i_{k+1}$th configuration, the $n_{i_{k+1}}$ next
configurations contain a state that satisfies Zf°'^'^. If $|\mathit{Inc}_i| > |\mathit{Dec}_i|$, then this means that there is an index
$h \in \mathit{Inc}_i$ such that for all $j \in \mathit{Dec}_i$, $n_{i_j} < n_{i_h}$ and there exists also $l \in \{i_{k+1}, \ldots, i_{k+1} + n_{i_{k+1}}\}$ such that $p_l$
satisfies Zf"^"- and $n_l = n_{i_h}$, which is in contradiction with the rule (viii).

We conclude that if $\rho$ is a finite run of $B$ satisfying the rules (i)-(viii) and visiting a state Zq in $F'$ then
there is a corresponding run in the two-counter automaton $A$ starting from the initial configuration $(q_I, 0, 0)$
and visiting the accepting state $q$.

Now, we consider a run of $A$ of the form $(q_I, 0, 0) \to c_1 \to \ldots c_h$. We show how to build a run of the
one-counter automaton $B$, $(p_0, 0) \to (p_1, n_1) \to \cdots \to (p_m, n_m)$ with $p_0 = q_I$ and $p_m =$ Zq for some $q \in Q$.
We introduce similar notations as in the converse case. For such a run, we consider the sequence of indices
$i_1, \ldots, i_k \in \{0, \ldots, m\}$ such that for all $j \in \{1, \ldots, m\}$, $p_{i_j} \in S$ and such that there is no $i \in \{1, \ldots, m\}$ verifying
$p_i \in S$ and $i \notin \{i_1, \ldots, i_k\}$. For each counter $i \in \{1, 2\}$, we write $\mathit{Inc}_i$ to denote the set $\{j \in \{0, \ldots, k\} \mid
p_{i_j} \text{ is of the form } (q, \mathtt{inc}, i, q')\}$ and $\mathit{Dec}_i$ to denote the set $\{j \in \{0, \ldots, k\} \mid p_{i_j} \text{ is of the form } (q, \mathtt{dec}, i, q')\}$.
Finally, we define the set $\mathit{Zero}_i = \{j \in \{0, \ldots, k\} \mid p_{i_j} \text{ is of the form } (q, \mathtt{ifzero}, i, q')\}$. We build a run $\rho$ of
$B$ such that the following properties are verified:

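(a) $k = h$ and for all $j \in \{1, \ldots, k\}$, $p_{i_j} = t_{j-1}$,

(b) if $j$ is the smallest index of $\mathit{Inc}_i$, then $n_{i_j} = 2$,

(c) if $j$ is the smallest index of $\mathit{Dec}_i$, then $n_{i_j} = 2$,

(d) for all $j, \ell \in \mathit{Inc}_i$ such that $j < \ell$, if there is no $j' \in \mathit{Inc}_i$ such that $j < j' < \ell$, then $n_{i_\ell} = n_{i_j} + 1$,

(e) for all $j, \ell \in \mathit{Dec}_i$ such that $j < \ell$, if there is no $j' \in \mathit{Inc}_i$ such that $j < j' < \ell$, then $n_{i_\ell} = n_{i_j} + 1$,

(f) for all $j \in \mathit{Dec}_i$, there exists $\ell \in \mathit{Inc}_i$ such that $i_\ell < i_j$ and $n_{i_j} < n_{i_\ell}$,

(g) for all $j \in \mathit{Zero}_i$, and for all $\ell \in \mathit{Inc}_i$ such that $i_\ell < i_j$, we have $n_{i_\ell} < n_{i_j}$ and there is $m \in \mathit{Inc}_i$ such
that $i_m < i_j$ and $n_{i_j} = n_{i_m} + 1$.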

By construction of $B$, it is possible to build a run $\rho$ of $B$ that satisfies the properties (a)-(g).

Now, we suppose that $\rho$ is a run of $B$ verifying these properties and it remains to check that $\rho$ satisfies
the rules (i)-(viii). First, we consider the rules (i)-(ii). These two rules are satisfied because all the elements
of $\mathit{Inc}_i$ and of $\mathit{Dec}_i$ are built with distinct values for incrementations and decrementations. The rule (iii) is
satisfied because of the properties (e) and (f). The rule (iv) is satisfied, because if the run is in a position $i_j$
with $j \in \mathit{Inc}_i$ and if there exists a position $\ell$ in the future which satisfies 7^"^'"^*^ then there exists a position
$i_{j'}$ such that $\ell < i_{j'}$ with $j' \in \mathit{Inc}_i$ and $n_{i_{j'}} > n_{i_j} + 1$ (by construction of $B$ and by (d)). Moreover, the
definition of $B$ implies there exists a position $h$ such that $i_j < h < \ell$, $h$ satisfies 7^?'^'**^ — rii. , $q_{h+1}$ satisfies
$I_i$ and $n_{h+1} = n_{i_j} + 1$. Similar arguments are used to establish that the rule (v) is satisfied by using (c) and
(e). The rule (vi) is satisfied because of the property (f). Finally the rules (vii)-(viii) are satisfied by using
(g) and the properties about the sets $\mathit{Inc}_i$ and $\mathit{Dec}_i$. Hence if there is a run of $A$ leaving from $(q_I, 0, 0)$ and
visiting a state $q$ in $F$, we can build a finite run $\rho$ of $B$ such that $\rho \models \phi$.

Furthermore the formula $\phi$ uses only the temporal operators X and F (the operator G can be easily
obtained from F). □

Theorem 18. MC(LTL)$^{\omega}_{1}$ restricted to {X,F} is $\Sigma^1_1$-complete.

The proof is similar to the proof of Theorem 17 except that instead of reducing the halting problem for
Minsky machines, we reduce the recurrence problem for nondeterministic Minsky machines that is known
to be $\Sigma^1_1$-hard [20]. The $\Sigma^1_1$ upper bound is by an easy verification since an accepting run can be viewed as
a function $f : \mathbb{N} \to \mathbb{N}$ and then checking that it satisfies an LTL$^{\downarrow}$ formula can be expressed in first-order
arithmetic. Another consequence of the Purification Lemma is the result below.

Theorem 19. PureMC(LTL)$^{*}$ restricted to {X,F} is $\Sigma^0_1$-complete. PureMC(LTL)$^{\omega}$ restricted to {X,F} is
$\Sigma^1_1$-complete.

This refines results stated in [30].

Using Theorem 3.2(a) in [il, we can obtain the following corollary by a direct analysis of the formulae 
involved in the proof of Theorem 17 (every temporal operator is prefixed by a freeze operator or can occur
equivalently in such a form). 

Corollary 20. MC(FO)2 [resp. MC(FO)2] without the predicate +1 is Yi\-complete [resp. Yi\-complete] and
PureMC(FO)4 [resp. PureMC(FO)4] is Y.l-complete [resp. Y\-complete].

The absence of the predicate +1 in the above corollary is due to the fact that in the proof of Theorem 17,
X occurs only to encode F$^{+}$ and G$^{+}$. The above-mentioned undecidability is true even if we restrict ourselves
to one-counter automata for which there are no transitions with identical instructions leaving from the same
state. A one-counter automaton $A$ is weakly deterministic whenever for every state $q$, if $(q, l, q'), (q, l', q'') \in \delta$,
we have $l = l'$ implies $q' = q''$. The transition systems induced by these automata are not necessarily
deterministic.
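
The following added example (not code from the paper) checks the weak-determinism condition on a transition relation and lists the reachable configurations that still have several successors, which is why the induced transition system need not be deterministic. The tuple encoding, the sample automata and the counter semantics (dec blocked at 0, ifzero firing only at 0) are assumptions made for the illustration.

```python
from collections import defaultdict

# Instruction names follow the paper (inc, dec, ifzero); the encoding of a
# transition as a (state, instruction, state) tuple is an assumption.
INC, DEC, IFZERO = "inc", "dec", "ifzero"

def is_weakly_deterministic(delta):
    """True iff (q, l, q1) and (q, l, q2) in delta imply q1 == q2."""
    targets = defaultdict(set)
    for q, instr, q2 in delta:
        targets[(q, instr)].add(q2)
    return all(len(t) == 1 for t in targets.values())

def successors(delta, config):
    """Configurations reachable in one step from (state, counter value)."""
    q, n = config
    result = set()
    for src, instr, dst in delta:
        if src != q:
            continue
        if instr == INC:
            result.add((dst, n + 1))
        elif instr == DEC and n > 0:       # assumed: dec is blocked at 0
            result.add((dst, n - 1))
        elif instr == IFZERO and n == 0:   # assumed: ifzero fires only at 0
            result.add((dst, n))
    return result

def nondeterministic_configs(delta, start, bound):
    """Reachable configurations (counter <= bound) with several successors."""
    seen, frontier, branching = {start}, [start], []
    while frontier:
        config = frontier.pop()
        succ = successors(delta, config)
        if len(succ) > 1:
            branching.append(config)
        for nxt in succ:
            if nxt not in seen and nxt[1] <= bound:
                seen.add(nxt)
                frontier.append(nxt)
    return sorted(branching)

# Constructed sample: only distinct instructions leave q0 (weakly deterministic).
WEAK = {("q0", INC, "q0"), ("q0", DEC, "q1"), ("q1", IFZERO, "q0")}
# Constructed sample: two inc-transitions leave q0 (not weakly deterministic).
NOT_WEAK = WEAK | {("q0", INC, "q1")}
```

In `WEAK`, every configuration of q0 with a positive counter value can fire both inc and dec, so the automaton is weakly deterministic while its configuration graph branches.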
Theorem 21. PureMC(LTL)J [resp. PureMC(LTL)"y restricted to weakly deterministic one-counter
automata is Yil-complete [resp. T,\-complete].

Proof. In the proof of the Purification Lemma, weak determinism of the one-counter automata is preserved.
It is sufficient to show that given a one-counter automaton $A$ and a sentence $\phi$ in LTL"'"'^, one can
compute a weakly deterministic automaton $A'$ and $\phi'$ in LTL^'"''' ($Q \subseteq Q'$) such that $A \models^{*} \phi$ [resp. $A \models^{\omega} \phi$]
iff $A' \models^{*} \phi'$ [resp. $A' \models^{\omega} \phi'$].

Figure [H] illustrates with examples how transitions from a state with identical instructions can be
transformed so as to obtain a weakly deterministic automaton. In Figure [BJ we have omitted the transitions
labelled by a zero-test or a decrementation when they are never fired. This can be easily generalized to all
the transitions of $A$. The formula $\phi'$ is defined as $T(\phi)$ with the map $T$ that is homomorphic for Boolean
operators and $\downarrow_r$, and its restriction to atomic formulae is identity. It remains to define the map for the
temporal operators, which corresponds to performing a relativization:

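• $T(\phi_1 \mathtt{U} \phi_2) = \big((\bigvee_{q \in Q} q) \Rightarrow T(\phi_1)\big) \, \mathtt{U} \, \big((\bigvee_{q \in Q} q) \wedge T(\phi_2)\big)$,

• $T(\mathtt{X} \phi) = \mathtt{X}\big((\neg \bigvee_{q \in Q} q) \, \mathtt{U} \, ((\bigvee_{q \in Q} q) \wedge T(\phi))\big)$.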

It can be easily proved that $A'$ and $\phi'$ satisfy the desired properties. □



5. Conclusion 

In the paper, we have studied complexity issues related to the model-checking problem for LTL with
registers over one-counter automata. Our results are quite different from those for satisfiability. We have
shown that model checking LTL$^{\downarrow}$ restricted to the operators {X,F} and FO$_2(\sim, <, +1)$ over one-counter
automata is undecidable, which contrasts with the decidability of many verification problems for one-counter
automata [53, 28, [2^ and with the results in 0, @|. For instance, we have shown that model checking
nondeterministic one-counter automata over LTL$^{\downarrow}$ restricted to a unique register and without alphabet
[resp. FO$_2(\sim, <, +1)$] is already $\Sigma^1_1$-complete in the infinitary case. On the decidability side, the PSpace
upper bound for model checking LTL$^{\downarrow}$ and FO$(\sim, <, +1)$ over deterministic one-counter automata in the
infinitary and finitary cases is established by using in an essential way [26] (and simplifying the proofs
from [30]). In particular, we have established that the runs of deterministic one-counter automata admit
descriptions that require polynomial size only. Hence, our results essentially deal with LTL with registers but
they can be also understood as a contribution to refine the decidability border for problems on one-counter
automata.

Viewing runs as data words is an idea that can be pushed further. Indeed, our results pave the way
for model checking memoryful (linear-time) logics (possibly extended to multicounters) over other classes of
operational models that are known to admit powerful techniques for solving verification tasks. For instance,
the reachability relation is known to be Presburger-definable for reversal-bounded counter automata fs^l.
Nevertheless, model checking LTL$^{\downarrow}$ over this class of counter machines has been recently shown
undecidable [13]; other subclasses of counter machines for which the reachability problem is decidable have been
considered in this recent work.

Acknowledgement: We would like to thank Philippe Schnoebelen for suggesting simplifications in the
proofs of Lemma [S] and Proposition [7] and Luc Segoufin for fruitful discussions that led us to improve
significantly the results from [30].